NAT and Tunnel IPsec
-
Hello.
I wish I could do NAT from one LAN to another LAN to reach a machine that is connected via an IPsec tunnel.
(Rereading myself, I'm not sure I'm being very explicit.) My config:
**Site A:** Public IP: 111.112.113.114, Subnet A1: 10.10.10.0/24
**Site B:** Public IP: 121.122.123.124, Subnet B1: 10.10.20.0/24, Subnet B2: 10.10.21.0/24
**IPsec tunnel:** Site A | Subnet A1 <=> Site B | Subnet B1
Public IP: 111.112.113.114 <=> 121.122.123.124
Subnet: 10.10.10.0/24 <=> 10.10.20.0/24
I can’t change the configuration of the IPsec tunnel.
My problem: I need to reach site A / subnet A1 from site B / subnet B2.
For this I configured the pfSense to do NAT between subnet B1 and B2, e.g. 10.10.21.5 => (NAT) 10.10.20.5
**Creating a Virtual IP:** 10.10.20.5/32
**Creating a 1:1 NAT Mapping:**
External Subnet: Single Host => 10.10.20.5
Internal IP: Single Host => 10.10.21.5
Destination: Single Host => 10.10.10.64
Interface: Net_Subnet_B1 (10.10.20.1)
But it doesn’t work.
When I ping I feel like the answer doesn't come back.
Result of a packet capture on the Net_Subnet_B1 interface:
(Empty)
Result of a packet capture on the Net_Subnet_B2 interface:
10:22:34.201564 IP 10.10.21.5 > 10.10.10.64: ICMP echo request, id 1, seq 62, length 40
10:22:38.751450 IP 10.10.21.5 > 10.10.10.64: ICMP echo request, id 1, seq 63, length 40
Result of a packet capture on the IPsec interface:
10:17:53.012406 (authentic,confidential): SPI 0x39926288: IP 10.10.20.5 > 10.10.10.64: ICMP echo request, id 1, seq 58, length 40
10:17:57.758798 (authentic,confidential): SPI 0x39926288: IP 10.10.20.5 > 10.10.10.64: ICMP echo request, id 1, seq 59, length 40
Do you have any idea?
-
@sylvain
You can't do this with simple NAT. You have to use BINAT in IPSec p2 at site B.
If you cannot modify the IPSec settings you're probably lost.
-
@viragomann
Thank you for your reply.
I can change the config of site B, but I can't change the config of site A (this is the partner's site), nor the config of the IPsec tunnel unless it changes nothing for the partner (he doesn't want to change anything on his side).
Regarding the BINAT, I've looked, but does it have to be the same size of subnet for the local network and the translated network?
E.g. Local Network: 10.10.21.0/23, Translated Network: 10.10.20.0/24
-
@sylvain
I think the setting at B should be sufficient to get it to work, but not sure. Try it out.
Leave the existing P2 as it is and add an additional one with the same settings except networks:
Local Network: Address > 10.10.21.5
NAT/BINAT translation: Address > 10.10.20.5
Remote Network: Network > 10.10.10.0/24
I'm not sure if it works, because of the overlapping local networks.
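As an added illustration (not pfSense code and not from either poster), here is a small Python model of how site B's phase 2 selectors and the suggested BINAT entry interact, using the thread's addresses. It assumes a first-match selector lookup and that BINAT is a 1:1 mapping between equal-sized networks, which also covers the /23 vs /24 question asked earlier.

```python
import ipaddress
from typing import List, Optional, Tuple

IPv4, Net = ipaddress.IPv4Address, ipaddress.IPv4Network


class Phase2:
    """One IPsec phase 2 entry at site B: local selector, remote selector, optional BINAT."""

    def __init__(self, local: str, remote: str, binat: Optional[str] = None):
        self.local = Net(local)                     # real local network (before translation)
        self.remote = Net(remote)
        self.binat = Net(binat) if binat else None  # network the peer sees inside the tunnel
        # Modelling assumption: BINAT is a 1:1 network mapping, so both prefix lengths must match.
        if self.binat is not None and self.binat.prefixlen != self.local.prefixlen:
            raise ValueError("translated network must be the same size as the local network")

    @staticmethod
    def _map(addr: IPv4, frm: Net, to: Net) -> IPv4:
        """Keep the host part of addr and swap its network part from frm to to."""
        return IPv4(int(to.network_address) + (int(addr) - int(frm.network_address)))

    def outbound(self, src: IPv4, dst: IPv4) -> Optional[IPv4]:
        """Inner source address placed on the wire, or None if this P2 does not match."""
        if src in self.local and dst in self.remote:
            return src if self.binat is None else self._map(src, self.local, self.binat)
        return None

    def inbound(self, src: IPv4, dst: IPv4) -> Optional[IPv4]:
        """Real destination after reverse translation, or None if this P2 does not match."""
        wire_local = self.local if self.binat is None else self.binat
        if src in self.remote and dst in wire_local:
            return dst if self.binat is None else self._map(dst, wire_local, self.local)
        return None


def lookup(p2s: List[Phase2], src: str, dst: str, direction: str) -> Optional[Tuple[int, str]]:
    """Walk the P2 list in order; the first matching entry wins (a simplification of the real
    SPD lookup). direction is "out" (site B -> tunnel) or "in" (tunnel -> site B).
    Returns (P2 index, translated address) or None when no selector covers the packet."""
    s, d = IPv4(src), IPv4(dst)
    for i, p2 in enumerate(p2s):
        hit = p2.outbound(s, d) if direction == "out" else p2.inbound(s, d)
        if hit is not None:
            return i, str(hit)
    return None

# Site B as discussed in the thread: the existing P2 kept as is, plus the suggested BINAT P2.
SITE_B = [Phase2("10.10.20.0/24", "10.10.10.0/24"),
          Phase2("10.10.21.5/32", "10.10.10.0/24", binat="10.10.20.5/32")]
```

With the existing /24 entry listed first, the echo reply to 10.10.20.5 is claimed by that entry and never reverse-translated to 10.10.21.5, which is the overlap concern raised above; listing the BINAT entry first changes the outcome in this model.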
-
@viragomann
These scenarios don't work, but I also think that it's related to my config, because the translated network matches an existing network.
I'm going to make some adjustments to my config and try again Friday.
Thanks for the leads and the help.